3. April 2014 12:04

The request failed with HTTP status 401: Unauthorized

Filed Under(CRM 2011 | DocumentsCorePack 2011 | CRM 2013 | DocumentsCorePack 2013) By Jin

This article outlines what to do if you get the following failure notice: Request failed wiht HTTP status 401: Unauthorized. 

Requirments: WordMailMerge

... 

Example:

image
Figure 1: WordMailMerge Error The request failed with HTTP status 401: Unauthorized.

Also this error message could occur. 

image
Figure 2: Alternative error message

If you click on the [Create Document]-button, you should get the following error message:

image
Figure 3: Another related error message

Why do you receive these error messages?     
If you are in a Windows Server 2003 functional level domain and the CRM and SharePoint are installed on different servers, you get this error because Windows default security does not allow delegation. This means, that the CRM server is not allowed to forward the user credentials to SharePoint and so, the SharePoint login failes for all anonymous users.
 
Workaround
At the moment, there is only a workaround to overcome this problem. You could select one special user for this. All document and template related connections will be processed via this user and so you have no control about template-security. All WordMailMerge users have the same permissions as the user you select for impersonation. To set this user, open the WordMailMerge web.config in the installation directory (C:\Program Files\PTM EDV-Systeme GmbH\WordMailMerge Server for MS CRM 3\web.config) and add the following line in the system.web-node: <identity impersonate="true" userName="domain\user" password="password"/>.

image
Figure 4: workaround

Another Possible Solution
There is another solution with full functionality. But if you want to apply this solution, you definitely need some knowledge about your network infrastructure and security. Please read the article to end before you change anything!
At the moment it is only tested with SharePoint Server 2007 and SharePoint Services 3.0.

Configuration on Domaincontroller
Open Active Directory Users and Computers on the domain controller and find your CRM Server. Open the properties and go to the Delegation-tab. Change the setting to Trust this computer for delegation to any services (Kerberos only).

image
Figure 5: Configuration on Domaincontroller

Configuration on CRM Server
You must change the authentication provider to Kerberos. To do so, simply follow the Knowledge-Base article from Microsoft.

A short explanation of this step:
1. Open the ISS Manager and find out the Website-ID of the CRM application. See next screenshot:

image
Figure 6: IIS Manager

2. Click on Start, Run ..., enter cmd and click on Enter. Change to C:\inetpub\adminscripts. Enter the following line:
cscript adsutil.vbs set w3svc/##/root/NTAuthenticationProviders Negotiate,NTLM 
(## stands for the ID you found out in the previous step)

Configuration on SharePoint
First you have to change the IIS Applicationpool User. Please make sure that the NetworkService has enough rights for the SharePoint-database! To change this, open IIS Manager and open the properties of the SharePoint Application Pool. Switch to the Identity-tab page and change the Predefined user to Network Service

image
Figure 7: SharePoint - Properties

Now you can change the SharePoint itself to Kerberos. To do sp, open Start > Administrative Tools > SharePoint 3.0 Central Administration. Go to the Application Management-tab and click on Authentication Providers.

image
Figure 8: Application management window

Please change the Integrated Windows authentication to Negotiate (Kerberos)

image

That’s it! We appreciate your feedback! Please share your thoughts by sending an email to support@mscrm-addons.com.

Tag Cloud

This will be shown to users with no Flash or Javascript.

Page List